Articles

10 Core steps to build a compliant AI programme

AI tools can add huge value — automation, better insights, faster decisions — but they also raise legal and ethical risks.

These 10 core steps are based on questions raised during the How to build a compliant AI programme webinar, hosted earlier this year by our partners VinciWorks.

1. Define scope and purpose

  • List every AI system in use (including vendor tools and cloud services).
  • Record the business purpose, inputs, outputs and user groups for each tool.
  • Prioritise systems that affect people decisions (recruitment, pay, discipline, promotion).

2. Carry out tailored risk assessments

  • Do an AI-specific risk assessment before deployment. Treat it like a Data Protection Impact Assessment (DPIA) where relevant.
  • Assess harms: privacy, bias, inaccurate decisions, safety, reputational damage.
  • Score risk by likelihood and impact. Use higher governance for high-risk systems.

3. Ensure lawful data handling

  • Map data flows: where data comes from, how it’s processed, where it’s stored, who can access it.
  • Check legal bases: consent, contractual necessity, legitimate interest — ensure documentation.
  • Apply data minimisation and retention rules. Delete or anonymise data where possible.
  • Log data-sharing with third-party vendors and subprocessors.

4. Choose and manage vendors carefully

  • Ask vendors for model details: training data sources, performance metrics, bias testing, update cadence.
  • Require contractual security, transparency and audit clauses.
  • Check vendor certifications and security reports (ISO 27001, SOC 2, penetration tests).

5. Build human oversight and decision governance

  • Define which decisions are automated and which require human sign-off.
  • Create clear escalation paths for model failures or disputes.
  • Train decision-makers to interpret model outputs and spot false positives/negatives.

6. Test for fairness and performance

  • Run pre-deployment tests on representative datasets.
  • Monitor for bias across protected characteristics (age, sex, race, disability).
  • Track false positive/negative rates and accuracy drift over time.
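The checks in step 6 (error rates broken down by protected group, and accuracy drift between a test window and a later production window) as an added example; this is not code from the original article or from VinciWorks, and the records, group labels A/B, threshold values and function names are all constructed for illustration:

```python
from collections import defaultdict

# Constructed sample (not real data): (protected_group, actual, predicted)
# for a screening model where 1 = "shortlisted". Two groups, 10 records each.
BASELINE = (
    [("A", 1, 1)] * 4 + [("A", 1, 0)] + [("A", 0, 0)] * 4 + [("A", 0, 1)]
    + [("B", 1, 1)] * 2 + [("B", 1, 0)] * 3 + [("B", 0, 0)] * 3 + [("B", 0, 1)] * 2
)
# A later production window, also constructed, where the model errs more often.
CURRENT = [("A", 1, 0)] * 5 + [("A", 0, 1)] * 5 + [("B", 1, 1)] * 5 + [("B", 0, 0)] * 5


def group_error_rates(records):
    """Per-group false positive rate (FPR) and false negative rate (FNR)."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "tn": 0, "fn": 0})
    for group, actual, predicted in records:
        # "t"/"f" for correct/incorrect, "p"/"n" for the predicted class
        key = ("t" if actual == predicted else "f") + ("p" if predicted else "n")
        counts[group][key] += 1
    rates = {}
    for group, c in counts.items():
        negatives = c["fp"] + c["tn"]  # records whose true label is 0
        positives = c["tp"] + c["fn"]  # records whose true label is 1
        rates[group] = {
            "fpr": c["fp"] / negatives if negatives else 0.0,
            "fnr": c["fn"] / positives if positives else 0.0,
        }
    return rates


def disparity_flags(rates, max_gap=0.1):
    """Metrics whose spread between best and worst group exceeds max_gap."""
    flags = {}
    for metric in ("fpr", "fnr"):
        values = [r[metric] for r in rates.values()]
        gap = max(values) - min(values)
        if gap > max_gap:
            flags[metric] = round(gap, 3)
    return flags


def accuracy(records):
    return sum(1 for _, actual, predicted in records if actual == predicted) / len(records)


def accuracy_drift(baseline, current, max_drop=0.05):
    """Return (accuracy drop, breached) comparing a production window to baseline."""
    drop = accuracy(baseline) - accuracy(current)
    return round(drop, 3), drop > max_drop


if __name__ == "__main__":
    rates = group_error_rates(BASELINE)
    print(rates, disparity_flags(rates), accuracy_drift(BASELINE, CURRENT))
```

Both flagged gaps and a breached drift threshold are the kind of finding that should feed the escalation path in step 5 and the incident register in step 9.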

7. Transparency and communication

  • Tell employees when and why AI is used, and how it affects them.
  • Publish simple explainers and appeal routes for automated decisions.
  • Keep internal stakeholders (IT, Legal, DPO, Works Council) informed during design and deployment.

8. Build training and competency

  • Train HR, managers and frontline staff on AI limits, risks and oversight responsibilities.
  • Include scenario-based training: “what to do if the model gives an unexpected result”.
  • Use short, repeatable modules — refresh periodically.

9. Incident response and continuous monitoring

  • Add AI incidents to your existing security and privacy incident process.
  • Monitor models in production for performance drift, unusual activity and complaints.
  • Keep a register of incidents, fixes and post-incident reviews.

10. Record-keeping and audit trails

  • Keep deployment records, tests, risk assessments, model versions and approvals.
  • Make records accessible for audits, regulators and internal reviewers.
  • Version models and document changes to training data or parameters.

Common webinar FAQs — short answers

Q: Do we need a DPIA for every AI tool?

A: Not always. If the tool processes personal data in a way that poses high risk to individuals (profiling, automated decisions), a DPIA is required. For lower-risk tools, a proportionate risk assessment is enough.

Q: How transparent do vendors need to be?

A: Enough to show data sources, performance metrics, security posture and bias testing. If a vendor refuses basic transparency, treat that as a red flag.

Q: Can we rely on vendor assurances alone?

A: No. Use vendor-provided evidence but perform your own tests and governance checks. Contractual rights to audit and data access are essential.

Q: How often should we retrain or retest models?

A: Regularly. At minimum, set monitoring thresholds and retest when data, use-cases or performance drift occur. High-risk models need scheduled retesting (quarterly or monthly depending on risk).

Q: What about employee consent?

A: Consent is one lawful basis, but for employer-employee contexts legitimate interest or contractual necessity is often more practical. Always document the lawful basis and balance test.

Q: How do we handle requests or appeals from employees?

A: Provide a clear appeal process and human review for automated decisions that materially affect employees.

Read the full list of questions and answers from the webinar on the VinciWorks website: https://vinciworks.com/blog/how-to-build-a-compliant-ai-programme-the-webinar-faqs/

Summary

A compliant AI programme reduces risk and builds trust across your organisation. Focus on four things:

  • Know what your AI does and why you use it (purpose).
  • Protect the people represented in your data (privacy and fairness).
  • Keep humans in control (oversight and escalation).
  • Document everything (audit trails and training).


More Information

Astute eLearning from VinciWorks offers short, practical modules suited to HR and people managers: GDPR essentials, vendor due diligence, and AI oversight training for decision-makers. 

Contact us for more information about Astute, to book a free demo or to get a copy of the VinciWorks e-learning course catalogue.

Alternatively, contact us on 0330 223 6180 or by email at enquiries@Peoplefirsthr.co.uk.

PeopleFirstHR have been working on Human Resource Information Systems for over 20 years and with People Inc. and YouManage since 2011. Our experience means we can provide a common-sense approach to providing you with a comprehensive HR system to help you record and maintain your employee data.

If you would like to learn more about how we can help your organisation please contact us on 0330 223 6180 or via email enquiries@Peoplefirsthr.co.uk.